JP4518070B2 - Packet filter verification packet generation method, verification packet generation device, verification packet generation program, packet filter test method, packet filter test device - Google Patents

Description

The present invention, verifying packet generation method for verifying the set of packet filters to be set in a network device such as a router, verifying packet generator, verifying packet generation program, test methods packet filter relates tester packet filter The packet filter settings can be verified comprehensively and efficiently.

The packet filter is set in a network device such as a router, checks the header information of a packet input to the network device, and performs a process of passing or discarding the packet. In general, a filter rule for performing filter processing on the WAN side of the network device (WAN side filter) and a filter rule for performing filter processing on the LAN side (LAN side filter) are set for the packet filter. In addition, a filter rule for a packet transmitted from the WAN side to the LAN side and a filter rule for a packet transmitted from the LAN side to the WAN side are set in the WAN side filter and the LAN side filter, respectively. In many cases, the packet filter checks the following contents (packet attributes) included in the header information. Hereinafter, these check items are referred to as “judgment conditions”.
-Start point (source) IP address (source address)
-Start (source) port number (source port)
・ Protocol
-Destination (destination) IP address (destination address)
-Destination (recipient) port number (destination port)

  A typical packet filter setting consists of a plurality of rules arranged in order. Here, the “rule” is a combination of “judgment condition” and “operation”. As for the “judgment condition”, it is normal that a plurality of values can be designated by one rule. For example, the start port number can be specified in a numerical value range (or numerical value enumeration) such as “1024 to 65535”. In this numerical range specification example, this determination condition is met (that is, it belongs to the range of 1024 to 65535) regardless of whether the starting point port number is 1024 or 1025. “Operation” is “pass” or “reject”.

  In many cases, the packet filter process executes the process shown in FIG. 2 every time a packet is received. That is, when one packet is received (S0), the attribute information included in the header information attached to the packet is compared with the determination condition of the first rule 1, and whether the packet matches the determination condition. It is determined whether or not (S1). If they match, the packet is passed or discarded according to the operation set in rule 1 (S1a), and the process is terminated there. If they do not match, the process proceeds to the next rule 2, and determination and processing (S2, S3) are executed in the same manner. If the result of the determination and processing (Sn, Sna) is the same as that of the last rule n, and the result does not match any of the rules 1 to n, the packet is passed or discarded according to the default rule. The process is terminated (Sn + 1). In this manner, the rules 1 to n are sequentially determined until the determination condition is satisfied for each received packet (until the last rule n if not).

  Many rules may be set by the user in the packet filter, and setting mistakes are likely to occur by setting the rules in the wrong order or by setting a plurality of contradictory (incompatible) rules. Therefore, after setting a rule in the packet filter, it is necessary to verify whether the packet filter is set as intended by the user.

In order to verify whether the packet filter is set as intended by the user, a dummy packet (verification packet) is conventionally generated and input to the packet filter to examine the behavior of the packet filter. It has been broken. For this verification, a technology called port scan is used. In the port scan, for example, when verifying the setting of the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side, the protocol (TCP, UDP, etc.), the start point IP address (the other party's global IP address), the start point port Number (partner port number) and end point IP address (own side global IP address) are fixedly set, and the end point port number (own side port number) is changed in the entire range of 0 to 65535, for example. Are sequentially input to the packet filter, and the destination port number through which the packet passes is identified. The user determines that the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side of the packet filter set in his network device is as his / her intended from the end port number thus identified. It can be verified whether it is set. The following Non-Patent Document 1 is a document that describes verifying packet filter settings using port scanning.
"Port number quick lookup and utilization dictionary for server administrators" by Kojiro Mochimaru, Nihon Jitsugyo Publishing Co., Ltd., issued on June 1, 2003, P.I. 61-64

In general, the port scan for verifying the setting of the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side includes the protocol, the start point IP address, the start point port number, and the end point IP address as described above. This is performed by sequentially generating verification packets that are fixedly set and whose end point port number is changed within a predetermined range (for example, 0 to 65535). However, there are various combinations of the start point IP address and the start point port number, and the port scan result may differ depending on the combination. For example, even if a packet transmitted from a certain terminal (combination of one starting point IP address and a starting point port number) is discarded at a certain destination port number of a certain destination IP address, another terminal (other one starting point IP) A packet transmitted from a combination of an address and a start port number (attributes other than the start point IP address and start point port number are the same as the previous packet) may pass through the same end point port number of the same end point IP address. In such a case, only by performing a port scan for a specific combination of the start IP address and the start port number, the setting of the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side is comprehensively verified. Must not. On the other hand, in order to verify all the possible range as a combination of source IP address and source port number must be examined a combination of two ⁴⁸ ways (source IP address 2 ³² patterns × source port number 2 ¹⁶ combinations), the port Scanning takes a lot of time and is not realistic.

The present invention has been made in view of the above-described points. The packet filter settings can be comprehensively verified without verifying all the possible ranges of combinations of determination conditions, and the packet filter settings can be verified. verifying packets generated methods to allow comprehensively and efficiently, verifying packet generator, verifying packet generation program, test methods packet filters, it is intended to provide a test device of the packet filter.

  The verification packet generation method according to the present invention is a packet in which a plurality of determination conditions relating to packet attributes and a plurality of rules defining the operation of passing or discarding the packet when the packet attributes meet the plurality of determination conditions. For a filter, a plurality of appropriate rules (for example, at least one attribute that is applied to a packet communicated in the same direction among all the rules set in the packet filter and included in the determination condition is commonly set between the rules) A method for generating a verification packet for verifying the setting of all the rules), and for the set of a combination of a plurality of appropriate attributes of the packet, the appropriate plurality of rules are applicable alone in the entire set Each region, any individual region to which any plurality of rules among the plurality of appropriate rules correspond, Each sample point is selected from an area to which none of the plurality of rules correspond, and the appropriate combination of the plurality of attributes is sequentially changed to each selected sample point, and another attribute is set for each sample point. The verification packets set by sequentially changing are sequentially generated. Attributes common to the rules of the verification packet (attributes other than the appropriate plurality of attributes and the other attributes) can be fixedly set to the common attributes.

  According to the present invention, the results of passing and discarding packets (packets having the same attributes other than the sample points) to the packet filter are the same regardless of which sample point is used in each region. By generating verification packets for selected sample points for each region, the packet filter settings can be comprehensively verified with a limited number of verification packets, and the verification of the packet filter settings can be comprehensively verified. And can be performed efficiently.

  The verification packet generation method of the present invention is applied to, for example, a packet communicated from the WAN side to the LAN side among all the rules of the WAN side filter, and a plurality of protocols and end point IP addresses are commonly set between the rules. When verifying the rule settings, for a set of combinations of the start point IP address and the start point port number, individual areas to which the plurality of rules to be verified alone correspond in the entire set, of the plurality of rules An attribute in which a sample point is selected from an individual area to which any of a plurality of rules correspond, and an area to which none of the plurality of rules corresponds, and a protocol and an end point IP address are set in common between the rules. And a combination of the start point IP address and start point port number for each selected sample point. Set by the following changes, and may be one that is sequentially changed in an appropriate range destination port number for each said sample points sequentially generating a validation packet set.

The verification packet generator of the present invention executes the verification packet generation method of the present invention. The verification packet generation program of the present invention causes a processing device to execute the verification packet generation method of the present invention . Test method for packet filter of this invention enter the verification packets sequentially generated by verifying packet generation method of the present invention in the packet filter is intended to operate the packet filter. The packet filter test apparatus according to the present invention executes the packet filter test method according to the present invention.

  Embodiments of the present invention will be described below. FIG. 3 shows an overall system configuration and functional blocks in the router 10. In this embodiment, a verification packet generation device and a test device for performing a test operation of a packet filter using a verification packet generated from the device are built in the router 10. First, parts used in normal communication will be described. The router 10 is connected to the WAN side (Internet side) 14 via the Ethernet (registered trademark) interface 12, and connected to the LAN side 18 via the Ethernet interface 16, so that the WAN side 14 and the LAN side 18 can communicate with each other. It is possible.

  The packet transfer processing unit 22 in the router 10 includes a packet filter 24. The packet filter 24 cascadely sets a plurality of rules that define a plurality of determination conditions related to packet attributes and the operation of passing or discarding the packet when the packet attributes meet the plurality of determination conditions. Check whether the attribute of the input packet matches the criteria specified in any of the above rules, starting with the first rule, and if there is a match, the action specified in that rule The operation is set so as to pass or discard the packet and terminate the process, and when no rule matches up to the last rule, the packet is passed or discarded.

  The packet filter 24 includes a WAN filter that performs processing on the WAN side and a LAN filter that performs processing on the LAN side. In both filters, a filter rule for a packet transmitted from the WAN side 14 toward the LAN side 18 and a filter rule for a packet transmitted from the LAN side 18 toward the WAN side 14 are set. Setting of the filter rule of the packet filter 24 is performed via the Ethernet interface 16 (or a serial interface prepared separately) by a user's operation from the computer on the LAN side 18. The filter rule set by the user is stored in the packet filter setting unit (memory) 32, and the packet filter 24 is set to contents corresponding to this stored data.

  Packets transmitted from the WAN side 14 are received by the packet reception processing unit 20 of the Ethernet interface 12 and supplied to the packet transfer processing unit 22. The packet filter 24 in the packet transfer processing unit 22 compares the header information of the received packet with the rules set in the packet filter 24 (filter rules for packets transmitted from the WAN side 14 toward the LAN side 18). For example, the packet filtering process shown in FIG. 2 is executed to perform a process of passing or discarding each packet. This packet filter processing is first performed for the WAN-side filter, and is further performed for the LAN-side filter for packets that have passed through the WAN-side filter. The packet that has passed through the packet filter 24 is transferred to the computer on the LAN side 18 via the packet transmission processing unit 26 of the Ethernet interface 16.

  On the other hand, a packet transmitted from the computer on the LAN side 18 is received by the packet reception processing unit 28 of the Ethernet interface 16 and supplied to the packet transfer processing unit 22. The packet filter 24 of the packet transfer processing unit 22 collates the header information of the received packet with the rules set in the packet filter 24 (filter rules for packets transmitted from the LAN side 18 to the WAN side 14), For example, the packet filter process shown in FIG. 2 is executed, and a process of passing or discarding each packet is performed. This packet filter processing is first performed on the LAN side filter, and further performed on the WAN side filter for packets that have passed through the LAN side filter. The packet that has passed through the packet filter 24 is transferred to the WAN side 14 via the packet transmission processing unit 30 of the Ethernet interface 12.

  Next, the verification packet generation device and the test device in the router 10 will be described. Here, among all the filter rules set in the packet filter 24, the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side (the global IP address assigned to the router 10 is commonly set as the end point IP address). Will be described. FIG. 1 shows a test (port scan) procedure of the packet filter 24 using a verification packet. When the user instructs preparation for port scanning from the computer on the LAN side 18 (S10), the protocol, the end point IP address, and the port scanning range are set among the attributes to be added to the verification packet by the user's operation or automatically ( S11). The protocol of a rule to be verified among TCP, UDP, etc. is set by a user operation. As the end point IP address, a global IP address assigned to the router 10 is set by a user operation or automatically. The end point port number is set by the user's operation or automatically within the scan range of the port number of the router 10 (0 to 65535 when the entire range is scanned). It should be noted that the filter type (WAN side filter or LAN side filter) can be selected and tested, or the packet transmission direction (from the WAN side 14 to the LAN side 18 or from the LAN side 18 to the WAN side 14). If it is possible to test by selecting the transmission type, the filter type and the packet transmission direction are set by the user's operation.

  When the attribute of the verification packet is set, all the rules applied to the protocol set in the attribute setting of the verification packet among the filter rules of the WAN side filter for the packet sent from the WAN side to the LAN side set in the packet filter 24 In regard to a set by a combination of the start point IP address and start point port number set in each rule, individual areas to which each rule corresponds independently in the entire set, and a plurality of arbitrary rules among these rules are common Sample points are automatically selected one by one from the individual areas corresponding to the above and areas where none of the rules correspond (S12).

  In this state, the port scan standby state is entered, and when the user instructs the start of the port scan (S13), the protocol and the end point IP address are fixedly set to the values set in the attribute setting of the verification packet, and the start point IP address and start point port A combination of numbers is sequentially changed and set for each of the selected sample points, and a verification packet in which the end point port number is sequentially changed and set within the range set in the attribute setting of the verification packet is automatically and sequentially generated, A port scan is performed by supplying the data to the WAN filter for packets sent from the WAN side to the LAN side set in the packet filter 24 (S14).

  When the port scan by all the verification packets is completed, the results of passing and discarding of each verification packet by the port scan are automatically totaled, and for example, attribute information of the passed packets (start IP address, start port number, end port number) , Protocol, etc.) are displayed on the display of the computer on the LAN side 18 (S15). The user can verify the setting of the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side out of all the filter rules set in the packet filter 24 by looking at this result. When verifying another protocol, the protocol setting is changed in the attribute setting (S11) of the verification packet, and the port scan is executed in the same procedure as described above.

  The router 10 of FIG. 3 that executes the above processing will be described. The port scan setting unit (memory) 34 stores the attribute of the verification packet set in the attribute setting of the verification packet (S11 in FIG. 1). The setting analysis processing unit 36 selects the sample points as a port scan preparation stage based on the filter rules set in the packet filter setting unit 32 and the verification packet attributes set in the port scan setting unit 34. (S12) is executed. After the sample point is selected and the preparation for the port scan is completed, the port scan processing unit 38 receives a port scan start instruction (S13) from the user, and sets the end port number for each selected sample point. A verification packet that is sequentially changed within a set range is generated. The verification packet is directly input to the packet transfer processing unit 22, and is supplied to the WAN filter of the packet filter 24 to execute filter processing (port scan) (S14).

  The result of passing and discarding each verification packet by the port scan is transmitted to the port scan processing unit 38. Based on this result, the port scan processing unit 38 collects information on the packets that have passed (starting point IP address, starting point port number, end point port number, protocol, etc.) and sends them to the computer on the LAN side 18 via the port scan result output unit 40. Send it out. The computer displays the information on a display. The user looks at this display and verifies the setting of the packet filter 24.

  It should be noted that by embedding special identification data in the verification packet generated from the port scan processing unit 38, it is possible to perform processing that distinguishes it from normal communication packets. Using this identification information, for example, the port scan process can be executed only for a packet in which this identification data is detected. Further, by discarding the packet in which identification data is detected among the packets that have passed through the packet filter 24 in the router 10, it is possible to prevent the verification packet from leaking to the network side (WAN side 14).

  Here, the sample point selection processing of the combination of the start point IP address and the start point port number by the setting analysis processing unit 36 will be described. Here, filter rules applied to packets transmitted from the WAN side 14 to the LAN side 18 among the WAN side filters of the packet filter 24 are R1 to Rn. In these rules R1 to Rn, the global IP address assigned to the router 10 is commonly set as the destination IP address, and the protocol is commonly set to the protocol set in the attribute setting of the verification packet (S11 in FIG. 1). It is assumed that A combination of the start point IP address and the start point port number set in the rules R1 to Rn is represented by Ci (i = 1, 2,..., N). Here, for convenience of explanation, it is assumed that three rules R1, R2, and R3 are set. The input packet is filtered in the order of R1 → R2 → R3 in accordance with the packet filtering process of FIG. 2, and is passed or discarded according to the operation defined in the rule when the determination conditions are matched. A packet that does not match the determination condition of any rule is passed or discarded according to the default rule.

FIG. 4 schematically shows each set C1 to C3 of combinations of the start point IP address and the start point port number in the rules R1 to R3, with the start point IP address on the horizontal axis and the start point port number on the vertical axis. The entire set of combinations of the starting point IP address and the starting point port number is divided into individual areas to which each set Ci corresponds independently, individual areas to which any of a plurality of sets Ci correspond to each other, and each set Ci Are also classified as non-applicable areas. The number of cases in these areas is 2 ⁿ (therefore, the number of cases in areas is 8 if the set is three of C1, C2, and C3). When a portion that does not belong to each set Ci (that is, a complementary set) is represented by −Ci, each region Sj (j = 1, 2, 3,..., 2 ⁿ ) is represented by the following formula (* is a product set). To express).
S1: C1 * C2 * C3
S2: -C1 * C2 * C3
S3: C1 * -C2 * C3
S4: C1 * C2 * -C3
S5: -C1 * -C2 * C3
S6: C1 * -C2 * -C3
S7: -C1 * C2 * -C3
S8: -C1 * -C2 * -C3

  When there is an area that becomes an empty set among these areas (when there is no area that corresponds to a plurality of sets in common), the area that becomes the empty set is removed. Also, when there are a plurality of areas that match each other (when the same rule is set redundantly), only one area is left and the others are removed. An arbitrary sample point is selected from each of the remaining areas (empty set; if there is no matching area, all 8 points) are selected. As a processing technique for selecting a sample point from each region, a figure cutting algorithm can be used. As such an algorithm, for example, Polygon Clipping called Sutherland-Hodgman method can be used. According to this Polygon Clipping, the vertices of the polygons constituting each area can be obtained, so that one of the vertex positions of each area can be selected as a sample point. Note that one area may be divided into a plurality of locations on the schematic diagram of FIG. 4 (for example, when a set based on two rules intersects on the cross on FIG. In such a case, it is not necessary to select a sample point for each divided region, and one sample may be selected from the entire divided region. However, there is no problem even if sample points are selected for each divided region.

  For each sample point (combination of the start point IP address and start point port number) selected from each region as described above, the end point port number is set in the range set in the attribute setting of the verification packet (S11 in FIG. 1) (for example, 0 to 65535) are sequentially generated and the port scan is performed. According to this, since the results of passing and discarding are the same regardless of where in the same region, if one port scan is performed for one sample point in one region, the entire region is port scanned. This eliminates unnecessary port scanning. In addition, since the port scan is performed for the sample points in all areas except the empty set and the coincidence area, it is the same as the port scan for the entire combination of the start point IP address and the start point port number, and the port scan without omission can be performed.

Next, a specific example will be described. Here, of the rules set in the WAN filter of the packet filter 24, two rules 1 and 2 shown in Table 1 are set as rules applied to packets transmitted from the WAN side 14 to the LAN side 18. And

When the user instructs to prepare for port scanning, the setting analysis processing unit 36 in FIG. 3 sets rule 1 and rule 2 in the entire set for the set of combinations of the start IP address and start port number of each rule 1 and 2. Each region Xs1, Xs2 corresponding to 2 alone, region Xs3 corresponding to rules 1 and 2 in common, and region Xs4 not corresponding to rules 1 and 2 are obtained, and one sample point is obtained from each region Xs1 to Xs4. Each one is selected (S12 in FIG. 1). FIG. 5 schematically shows the regions Xs1 to Xs4. If the set and complement of the combination of the start point IP address and the start point port number according to rule 1 are C1 and −C1, respectively, and the set and complement of the combination according to rule 2 are C2 and −C2, respectively, the regions Xs1 to Xs4 are respectively It is expressed by the following formula.
Xs1: C1 * -C2
Xs2: -C1 * C2
Xs3: C1 * C2
Xs4: -C1 * -C2

The setting analysis processing unit 36 selects an arbitrary sample point for each of the regions Xs1 to Xs4. Examples of sample points selected from each region are shown in Table 2.

  When the setting analysis processing unit 36 selects a sample point, the port scan start standby state is entered. Then, when the user instructs the start of the port scan, the port scan processing unit 38 fixes the protocol and the end point IP address to the values shown in Table 1. A combination of the start point IP address and the start point port number is sequentially switched to each selected sample point, and the end point port number is set according to Table 1 for each sample point to be sequentially switched. The verification packets sequentially changed in the range are sequentially generated, and thereby the port scan is executed.

  In the above-described embodiment, the number of samples selected in each region is 1. However, the present invention does not prevent the number of samples in each region from being 2 or more.

  In the above embodiment, sample points are selected for a set of combinations of two attributes of a start point IP address and a start point port number. However, sample points can also be selected for a set of combinations of three or more attributes. For example, in the case of a combination of the three attributes of the start point IP address, the start point port number, and the protocol, port scanning can be performed for all protocols at once without changing the attribute setting (S11 in FIG. 1) for each protocol. it can.

  In the above embodiment, the case of verifying the setting of the filter rule of the WAN side filter for the packet sent from the WAN side to the LAN side has been described. However, the present invention relates to the LAN side filter for the packet sent from the WAN side to the LAN side. It is also applicable to verifying the filter rule, the filter rule of the LAN side filter for the packet sent from the LAN side to the WAN side, and the setting of the filter rule of the WAN side filter for the packet sent from the LAN side to the WAN side. it can. For example, when verifying the setting of the filter rule of the WAN side filter for a packet sent from the LAN side to the WAN side, a combination of the end point IP address (the other party's IP address) and the end point port number (the other party's port number) The sample point is selected for the set of, the start point IP address is fixedly set to its own global IP address (global IP address assigned to the router 10), the protocol is fixedly set to an arbitrary protocol, the end point IP address and the end point A combination of port numbers is sequentially changed to each selected sample point and set, and verification packets set by sequentially changing the start port number (port number on the own side) within an appropriate range for each sample point are sequentially set. Can be generated and port scanning can be performed.

  In the above-described embodiment, the verification packet generation device and the test device are built in the network device (router 10). However, the present invention is not limited to this, and it is also possible to generate a verification packet from a computer and supply it to the network device to perform port scanning. The present invention can be applied.

4 is a flowchart showing a procedure for performing a packet filter test (port scan) using a verification packet in the configuration of FIG. 3. It is a flowchart which shows an example of a packet filter process. 1 is a block diagram showing an overall system configuration and functional blocks in a router according to an embodiment of the present invention. It is a figure which shows typically each set of the combination of the starting point IP address and starting point port number in a filter rule. It is a figure which shows typically each set of the combination of a starting point IP address and a starting point port number in the rule setting example of Table 1.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Router (network apparatus), 24 ... Packet filter, 14 ... WAN side, 18 ... LAN side , 22 ... Packet transfer process part, 32 ... Packet filter setting part, 34 ... Port scan setting part, 36 ... Setting analysis process part , 38 ... Port scan processing unit, 40 ... Port scan result output unit

Claims (7)

A plurality of determination conditions related to packet attributes and a packet filter that sets a plurality of rules that define the operation of passing or discarding the packet when the packet attributes meet the plurality of determination conditions. A method for generating a verification packet to verify a configuration,
For a set of a plurality of combinations of a plurality of appropriate attributes of packets, in the entire set, individual areas to which the appropriate plurality of rules correspond independently, and a plurality of arbitrary rules among the appropriate plurality of rules are common Select each sample point from the corresponding individual area, the area where none of the appropriate multiple rules correspond,
A verification packet generating method for sequentially setting a combination of a plurality of appropriate attributes to the selected sample points and sequentially generating verification packets set by sequentially changing other attributes for each sample point . A packet filter in which a plurality of determination conditions relating to packet attributes and a plurality of rules defining the operation of passing or discarding the packet when the packet attributes meet the plurality of determination conditions is set in the packet filter. For verifying the setting of a plurality of rules that are applied to a packet communicated from the WAN side to the LAN side among all the rules of the WAN side filter and the protocol and the destination IP address are commonly set between the rules. A method for generating a verification packet, comprising:
For a set of a combination of a start point IP address and a start point port number, an individual area to which the plurality of rules to be verified are alone in the whole set, and a plurality of arbitrary rules among the plurality of rules are in common Select each sample point from the individual areas to which the multiple rules do not apply,
A protocol and an end point IP address are fixedly set to an attribute set in common between the rules, and a combination of a start point IP address and a start point port number is sequentially changed to each selected sample point, and A verification packet generation method for sequentially generating verification packets set by sequentially changing an end point port number within an appropriate range for each sample point.   A verification packet generation program for causing a processing device to execute the method according to claim 1.   A test method for a packet filter in which verification packets sequentially generated by the method according to claim 1 or 2 are input to the packet filter and the packet filter is operated. A plurality of determination conditions related to packet attributes and a packet filter that sets a plurality of rules that define the operation of passing or discarding the packet when the packet attributes meet the plurality of determination conditions. A device that generates a verification packet for verifying settings,
A packet filter setting unit for storing a plurality of rules set in the packet filter;
A port scan setting unit for storing attributes to be added to the verification packet;
Based on the plurality of rules stored in the packet filter setting unit and the attribute of the verification packet stored in the port scan setting unit, a set of appropriate combinations of a plurality of attributes in the packet is included in the entire set. From the individual areas to which the appropriate plurality of rules are independently applied, the individual areas to which any of the appropriate plurality of rules are commonly applied, and the areas to which none of the appropriate plurality of rules are applicable A setting analysis processing unit for selecting each sample point;
A port scan processing unit that sequentially sets a combination of a plurality of appropriate attributes to each selected sample point, and sequentially generates verification packets that are set by sequentially changing other attributes for each sample point. When
Consisting comprises a verification packet generator. A packet filter in which a plurality of determination conditions relating to packet attributes and a plurality of rules defining the operation of passing or discarding the packet when the packet attributes meet the plurality of determination conditions is set in the packet filter. For verifying the setting of a plurality of rules that are applied to a packet communicated from the WAN side to the LAN side among all the rules of the WAN side filter and the protocol and the destination IP address are commonly set between the rules. A device that generates a verification packet,
A packet filter setting unit for storing a plurality of rules set in the packet filter;
A port scan setting unit for storing a protocol, an end point IP address, and a port scan range as attributes to be given to the verification packet;
Of all the rules to which the protocol of the verification packet stored in the port scan setting unit is applied among the plurality of rules stored in the packet filter setting unit, for a set of combinations of the start point IP address and the start point port number, In the whole set, individual areas to which the plurality of rules to be verified correspond independently, individual areas to which any of the plurality of rules correspond in common, and all of the plurality of rules correspond A setting analysis processing unit for selecting each sample point from a region not to be
A protocol and an end point IP address are fixedly set to an attribute set in common between the rules, and a combination of a start point IP address and a start point port number is sequentially changed to each selected sample point, and A port scan processing unit for sequentially generating verification packets set by sequentially changing an end point port number in the port scan range for each sample point ;
Consisting comprises a verification packet generator. A verification packet generator according to claim 5 or 6 ,
The verification packets sequentially generated by the verification packet generator input to the packet filter, and packet transfer processing unit to run a port scan by operating the packet filter,
A port scan processing unit for inputting a result of passing and discarding each verification packet by the port scan and outputting information of the passed packet based on the result;
A port scan result output unit for sending information of passed packets output from the port scan processing unit to a computer;
A packet filter testing apparatus comprising:

Images